Department for Work and Pensions

Agile Security Testing Service

Incomplete applications: 9 (6 SME, 3 large)
Completed applications: 9 (4 SME, 5 large)
Important dates

Published: Thursday 29 August 2019
Deadline for asking questions: Thursday 5 September 2019 at 11:59pm GMT
Closing date for applications: Thursday 12 September 2019 at 11:59pm GMT

Overview

Summary of the work: There is a need to undertake continuous PEN testing/vulnerability assessments of existing and new features within our UC application.
Latest start date: Thursday 31 October 2019
Expected contract length: This will be a 2 year contract - initial Statement Of Work (SOW) for approximately 6 months.
Location: London
Organisation the work is for: Department for Work and Pensions
Budget range:

About the work

Why the work is being done: In order to ensure that a key DWP application is able to support scaling and security requirements. In support of an Agile and adaptable programme of deployment, an application PEN testing/vulnerability assessment capability is required to augment the overall vulnerability management process.
Problem to be solved: The scaling and security goals for the application have led to a strategy of commodity cloud hosting. There is a need to assess the application (release candidates) for vulnerabilities on an ongoing basis.
Who the users are and what they need to do: Universal Credit Claimants will use the application to manage and progress their claim online. DWP Job Centre and Services Centre Agents will use the system to perform their roles in support of the Universal Credit Applicants.
Early market engagement:
Any work that’s already been done:
Existing team: The supplier will be working alongside a multi-disciplinary team. This team consists of internal DevOps, QA, network engineers, Security and delivery / project managers. The team follows agile processes to prioritise and manage the activities.

The successful supplier will work within a multi-supplier team environment.
Current phase: Live

Work setup

Address where the work will take place: Caxton House, Tothill Street, London, SW1H 9NA
Working arrangements: On-site in London office for the majority of the time with some scope for remote working. The collaborative nature of the team means that face to face interaction and presence at daily stand-ups is essential.

Expenses are only provided if travel to other DWP offices is required.
Security clearance: SC clearance is required for any individual or team who will be working on the project.

Additional information

Additional terms and conditions:

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience:
  • Demonstrate extensive knowledge and experience of secure development best practice such as OWASP and Safecode.
  • Demonstrate extensive knowledge and experience of undertaking application Penetration tests, using both manual and automated approaches.
  • Demonstrate extensive knowledge and experience of programming, particularly in Java, Python, and JavaScript.
  • Demonstrate extensive knowledge and experience of testing large applications with microservice architectures.
  • Demonstrate extensive knowledge and experience of testing APIs.
  • Demonstrate extensive knowledge and experience of testing within Continuous Integration (CI)/delivery pipelines.
  • Demonstrate extensive knowledge and experience of infrastructure as code, particularly Terraform, Puppet and Ansible.
  • Demonstrate extensive experience of delivering web application security awareness sessions for development staff.
  • Demonstrate knowledge and experience of testing cloud based applications.
  • Demonstrate knowledge and experience of writing Portswigger Burp Suite Extensions.
  • Demonstrate knowledge and experience of static analysis tools, particularly Fortify Static Code Analyser and BlackDuck.
  • Demonstrate experience of the Building Security In Maturity Model (BSIMM) framework.
  • Demonstrate experience of providing CREST Certified Web Application Testers and/or CHECK Team Leader (Web applications) capabilities on testing engagements within agile delivery programmes.
Nice-to-have skills and experience:
  • Experience working with AWS
  • Ability to provide technical leadership in multi-supplier team environments.

How suppliers will be evaluated

How many suppliers to evaluate: 3
Proposal criteria:
  • Provide details of how you will tailor your service to accommodate the provision of a testing/development capability within the context of vulnerability assessment using agile methodologies.
  • Clarify how your experience will enable you to deliver PEN testing/vulnerability assessment services in this context, clarifying how you will add value, delivery focus and technical leadership.
  • Clarify how you will work with other parallel work streams, ensuring quality standards are maintained.
  • Describe how you will gain, at pace, a detailed understanding of the service and project requirements to allow rapid involvement in design and decision activities.
  • Please provide a case study that demonstrates the successful delivery of a similar project. Don't include any personal data, e.g. name, address or contact details.
Cultural fit criteria: Based on your past experience, please outline your ability to respond to and align with the culture of the project.
Payment approach: Fixed price
Assessment methods: Written proposal
Evaluation weighting:
  • Technical competence: 75%
  • Cultural fit: 5%
  • Price: 20%

Questions asked by suppliers

Q1. What is the IR35 status?
A1. We are not assessing IR35 status at this stage, as under this framework we are expecting an outcomes based contract. We will undertake an assessment if it's deemed necessary at a later stage.

Q2. Will DWP sponsor the SC process for any consultants who are not already cleared?
A2. Due to the urgent nature of the tasks, we will not be in a position to sponsor clearance on this occasion.

Q3. Will you support SC for the successful candidate?
A3. Due to the urgent nature of the tasks, we will not be in a position to sponsor clearance on this occasion.

Q4. Hello, is ISO27001 mandatory for this service?
A4. ISO27001 is not mandated.

Q5. Does the client have a process for testing or are we being asked to develop this aspect within this SoW?
A5. We currently have processes in place for testing, however where any areas of improvement are identified following commencement, we would welcome input from the supplier.

Q6. What delivery model is the client looking for, is this resource augmentation or a managed service?
A6. We are looking for a managed service.

Q7. What is the maximum budget?
A7. The budget range is 450-600k.

Q8. What is your budget range?
A8. The budget range is 450-600k.

Q9. Can the work be delivered under the CREST accreditation using SC Cleared CREST certified consultants?
A9. The work can be delivered by SC cleared CREST Certified Web Application Testers.

Q10. Is the 31/10/19 commencement date a fixed date for the purposes of the contract or can this be an estimated date?
A10. The 31/10/19 is the very latest. Ideally work is expected to commence 22nd October.

Q11. When will the successful supplier be awarded the work?
A11. We expect to award the work in the first/second week of October.

Q12. Please confirm whether the budget provided is for the initial Statement Of Work (SOW) for approximately 6 months, or the two year contract?
A12. The budget provided is for the 2-year contract in total.

Q13. The supplier evaluation states that the assessment method will be a written proposal, and the payment approach will be a fixed price. Will the proposal and price be expected at the next stage of this process, as this stage is simply to answer the questions provided with nowhere to provide a proposal or price? Please confirm the process.
A13. DOS procurements progress through two stages: Initial sift based upon responses to the advert criteria, and then once that's completed, Potential Suppliers progressing to round 2 are requested to provide a proposal. We would expect the pricing to be provided at that stage.
13. The supplier evaluation states that the assessment method will be a written proposal, and the payment approach will be a fixed price. Will the proposal and price be expected at the next stage of this process, as this stage is simply to answer the questions provided with nowhere to provide a proposal or price? Please confirm the process. DOS procurements progress through two stages: Initial sift based upon responses to the advert criteria, and then once that's completed, Potential Suppliers progressing to round 2 are requested to provide a proposal. We would expect the pricing to be provided at that stage.